FortiGate
cskuan
Staff
Article Id 197748

Description

This article describes what a 'dirty' session is and the criteria that cause a session to be marked as 'dirty'.

Solution

When the FortiGate receives the first packet of a new session (for example, a SYN packet), the unit evaluates whether the traffic should be allowed based on the firewall policies. For new sessions, FortiGate performs a route lookup and a firewall policy lookup upon receiving the first packet (in the original direction).
FortiGate also performs a route lookup, but not a firewall policy lookup, for the first reply packet.
FortiGate then saves the results of the route lookup (the outgoing interface and the gateway to use) and of the firewall policy lookup (policy ID, address translation, inspection, authentication, logging, and so on) to the session.

FortiGate does not perform additional lookups for the session unless the session is flagged as dirty.

As long as the firewall policies and certain other conditions (listed below) do not change, this evaluation is done only on the first packet of the session.

If the traffic is allowed by a firewall policy, the unit creates a session and flags it as 'may_dirty'.

After that, if there is a change in the firewall policies or any other condition that triggers a state change, all existing sessions carrying the 'may_dirty' flag are flagged as dirty.

This indicates to FortiGate that it needs to re-evaluate the next packet of the session.

If the session is still allowed and matches the expected firewall policy, the dirty flag is removed and the 'may_dirty' flag is kept.

If the session is blocked, it is flagged as blocked and remains in the session table until it expires.

Any packet matching a session with the block flag is dropped.

A session is marked as 'dirty' when any of the following occurs:
1) Any change to any firewall policy.
2) A routing change.
3) Any network-related configuration change.
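The session lifecycle described above, as an added example that is not Fortinet's code: a small Python model of a session table in which a new session is created with the 'may_dirty' flag, a configuration change marks every 'may_dirty' session dirty, the next packet of a dirty session is re-evaluated against the policies, and a session that is no longer allowed is flagged 'block' and keeps dropping packets while it stays in the table. The `Policy`/`Firewall` classes, the prefix-based policy match, the lookup counter and the sample addresses are assumptions made for this model only; on a real FortiGate the flags are visible in the `state=` field of `diagnose sys session list` output.

```python
"""Toy model of FortiGate session dirty/may_dirty/block flags.

Added example, not Fortinet code.  Policy matching is a simplified
prefix match; real FortiGate policy lookup is far richer.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass
class Policy:
    id: int
    src: str      # source prefix, e.g. '10.0.0.'   (assumption: string prefix match)
    dst: str      # destination prefix
    dport: int
    action: str   # 'accept' or 'deny'


@dataclass
class Session:
    key: Key
    policy_id: int                      # policy ID saved at session creation
    flags: Set[str] = field(default_factory=set)


class Firewall:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.sessions: Dict[Key, Session] = {}
        self.lookups = 0                # counts policy lookups, to show the fast path

    def _policy_lookup(self, key: Key) -> Optional[Policy]:
        """First matching policy, or None for the implicit deny."""
        self.lookups += 1
        src, dst, dport = key
        for p in self.policies:
            if src.startswith(p.src) and dst.startswith(p.dst) and dport == p.dport:
                return p
        return None

    def handle_packet(self, src: str, dst: str, dport: int) -> str:
        """Return 'accept' or 'drop' for one packet in the original direction."""
        key: Key = (src, dst, dport)
        sess = self.sessions.get(key)

        if sess is None:
            # First packet of a new session: route + policy lookup, then cache the result.
            p = self._policy_lookup(key)
            if p is None or p.action != 'accept':
                return 'drop'
            self.sessions[key] = Session(key, p.id, {'may_dirty'})
            return 'accept'

        if 'block' in sess.flags:
            # Blocked session stays in the table until it expires; every packet is dropped.
            return 'drop'

        if 'dirty' in sess.flags:
            # Re-evaluate: still allowed and still the expected policy -> clear 'dirty'.
            p = self._policy_lookup(key)
            if p is not None and p.action == 'accept' and p.id == sess.policy_id:
                sess.flags.discard('dirty')          # 'may_dirty' is kept
                return 'accept'
            sess.flags = {'block'}
            return 'drop'

        # Established, clean session: no lookup at all.
        return 'accept'

    def config_change(self, reason: str) -> None:
        """Policy, routing or network-related change: mark may_dirty sessions dirty."""
        assert reason in {'policy', 'routing', 'network'}
        for s in self.sessions.values():
            if 'may_dirty' in s.flags:
                s.flags.add('dirty')


def scenario() -> Tuple[List[str], Firewall]:
    """Constructed walk-through; returns the per-packet verdicts and the firewall."""
    allow = Policy(1, '10.0.0.', '203.0.113.', 443, 'accept')
    fw = Firewall([allow])
    pkt = ('10.0.0.5', '203.0.113.9', 443)          # constructed sample flow
    verdicts = [fw.handle_packet(*pkt),             # SYN: lookup, session created
                fw.handle_packet(*pkt)]             # fast path, no lookup
    fw.config_change('routing')                     # session becomes dirty
    verdicts.append(fw.handle_packet(*pkt))         # re-evaluated, still allowed
    allow.action = 'deny'                           # administrator edits policy 1
    fw.config_change('policy')
    verdicts.append(fw.handle_packet(*pkt))         # re-evaluated, now blocked
    verdicts.append(fw.handle_packet(*pkt))         # dropped without a lookup
    return verdicts, fw


if __name__ == '__main__':
    v, fw = scenario()
    print(v, fw.lookups, {k: s.flags for k, s in fw.sessions.items()})
```

Running `scenario()` yields verdicts `['accept', 'accept', 'accept', 'drop', 'drop']` with only three policy lookups in total: one at session creation and one per dirty re-evaluation, never for packets on a clean or blocked session. After the policy edit the session is still present in the table, now carrying only the `block` flag.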